Role in IT decision-making process:Align Business & IT GoalsCreate IT StrategyDetermine IT NeedsManage Vendor RelationshipsEvaluate/Specify Brands or VendorsOther RoleAuthorize PurchasesNot Involved

Work Phone:

Company:

Company Size:

Industry:

Street Address

City:

Zip/postal code

State/Province:

Country:

Occasionally, we send subscribers special offers from select partners. Would you like to receive these special partner offers via e-mail?YesNo

Your registration with Eweek will include the following free email newsletter(s):News & Views

By submitting your wireless number, you agree that eWEEK, its related properties, and vendor partners providing content you view may contact you using contact center technology. Your consent is not required to view content or use site features.

By clicking on the "Register" button below, I agree that I have carefully read the Terms of Service and the Privacy Policy and I agree to be legally bound by all such terms.

WEBINAR:On-Demand

The annual Facebook F8 conference is generally a developer conference and not typically the place where security has been on the keynote stage, but that wasn't the case for the 2018 event.

At the F8 2018 event on May 1, Facebook CSO Alex Stamos delivered a keynote address that explained how Facebook secures itself and its users. Stamos also provided some insights and ideas for the developers in the audience on steps they can take that benefit from the lessons learned by Facebook.

"Protecting people's data and all the technical work that goes into that is extremely important, but it turns out that doing that is not enough," Stamos said.

Further reading

Stamos said that Facebook has had to adjust to the modern reality that security is about more than just building a secure and trustworthy system. In the modern threat environment that Facebook deals with, it's also important to understand how technology can be abused to cause harm.

Broadly speaking, Stamos said that the core areas for security at Facebook include how to protect the company from attack, how to protect users from abuse and also looking at larger issues such as Facebook's role in election security and integrity.

Protecting the Company

Stamos said that Facebook has a corporate security team that deals with common information security challenges that every company in the world faces.

"Our challenge is a little bit bigger because we have some of the best adversaries in the world trying to break into our corporate networks, but in the end it's not that different than the kind of things you hear from lots of companies," Stamos said. "We need to think about identity management and access control; we have to do vulnerability management; we have to build secure internal portals and systems that can withstand attack."

Facebook also has very large production engineering security component, he noted, employing individuals who secure the actual production servers in Facebook's data centers containing user data. Facebook also has a dedicated security engineering team that is concerned with how data is accessed, used and deleted at scale across the social network.

Stamos said that in the past, security was often considered a final step in the development process by most application developers. However, at Facebook security is built into the development lifecycle, with peer review and human checks, as well as automated code testing as part of a continuous workflow, he said.

Even with all the integrated security resources at Facebook, there are still issues that slip through. That's where the bug bounty comes into play, providing another set of external resources that can help Facebook to find potential risks. Stamos said that Facebook has paid out a total of $6 million in bug bounties to third-party security researchers for responsibly disclosing flaws.

Facebook has also built its own open-source tool called osquery, which was launched in 2014. Stamos said that osquery runs on every system at Facebook to show what is running on system as well as revealing signs of potential intrusions.

Going a step further, Stamos said that Facebook has a "red team" of security penetration testing professionals that run scheduled and unscheduled exercises against Facebook products and infrastructure. The red team pretends to be a real adversary that tries to break into the Facebook network to go after an objective. Stamos said that the red team model tests Facebook's abilities to detect and respond to a potential breach.

Protecting People

In terms of protecting people, Facebook has anti-harassment teams that look to curb abuse in news feeds and video. Facebook also has specific areas of focus for abuse including election security. Stamos outlined multiple steps that Facebook is now taking to to protect elections, with an advertising transparency effort, activities to combat false news and efforts to combat foreign interference.

"I'm not going to say that we don't have more work to do," Stamos said. "We have a lot of work to do to understand our responsibility and live up to that responsibility around the world, but I am encouraged that with support from the company from all over, we have teams all over Facebook that care incredibly deeply about this."

Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.

Advertiser Disclosure:
Some of the products that appear on this site are from companies from which QuinStreet receives compensation. This compensation may impact how and where products appear on this site including, for example, the order in which they appear. QuinStreet does not include all companies or all types of products available in the marketplace.